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Abstract. We give an explicit coinduction principle for recursively- defined stochastic 
processes. The principle applies to any closed property, not just equality, and works 
even when solutions are not unique. The rule encapsulates low-level analytic arguments, 
allowing reasoning about such processes at a higher algebraic level. We illustrate the use 
of the rule in deriving properties of a simple coin-flip process. 



1. Introduction 

Coinduction has been shown to be a useful tool in functional programming. Streams, 
automata, concurrent and stochastic processes, and recursive types have been successfully 
analyzed using coinductive methods; see [H LH 13 LH1 E] and references therein. 

Most approaches emphasize the relationship between coinduction and bisimulation. In 
Rutten's treatment [11] (see also [3[T]), the coinduction principle states that under certain 
conditions, two bisimilar processes must be equal. For example, to prove the equality of infi- 
nite streams a = merge(split(<r)), where merge and split satisfy the familiar coinductive 
definitions 

merge(a :: cr, r) = a :: merge(r, a) 

#l(split(a :: b :: p)) = a :: #l(split(p)) 

#2(split(a :: b :: p)) = b :: #2(split(p)), 

it suffices to show that the two streams are bisimilar. An alternative view is that cer- 
tain systems of recursive equations over a certain algebraic structure have unique solutions. 
Desharnais et al. (3J [7] study bisimulation in a probabilistic context. They are primarily 
interested in the approximation of one process with another. Again, they focus on bisimu- 
lation, but do not formulate an explicit coinduction rule. 

In this paper we introduce a generalization of the coinduction principle that applies to 
other properties besides equations and to situations in which solutions are not unique. We 
illustrate its use with an extended example that demonstrates how the rule encapsulates low- 
level analytic arguments involving convergent sequences in its proof of soundness, thereby 
allowing reasoning about such processes at a higher algebraic level. 
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2. An Example 

Consider the following procedure for simulating a coin of arbitrary real bias q, < q < 1, 
with a coin of arbitrary real bias p, < p < 1/2. We assume unit-time exact arithmetic on 
real numbers. 

1 boolean Qflip(</) { 

2 if (q > p) { 

3 if (PflipQ) return true; 

4 else return Qflip(((7 — p)/(l — p)); 

5 } else { 

6 if (PflipQ) return QFLlp(g/p); 

7 else return false; 

8 } 

9 } 

Intuitively, if q > p and the bias-p coin flip returns heads (true), which occurs with proba- 
bility p, then we halt and output heads; this gives a fraction p/q of the desired probability 
q of heads of the simulated bias-g coin. If the bias-p coin returns tails, which occurs with 
probability 1 — p, we rescale the problem appropriately and call Qflip tail-recursively. Sim- 
ilarly, if q < p and the bias-p coin returns tails, then we halt and output tails; and if not, 
we rescale appropriately and call Qflip tail-recursively. 

On any input < q < 1, the probability of halting is 1, since the procedure halts with 
probability at least p in each iteration. The probability that Qflip halts and returns heads 
on input q exists and satisfies the recurrence 

„, . jp H($), if«<J>, ,,,, 

H(q) = \p + ('-,) ■*«=!), ( ' 

Now H* (q) = q is a solution to this recurrence, as can be seen by direct substitution. There 
are uncountably many other solutions as well, but these are all unbounded (see Section 
bmce H* is the unique bounded solution, it must give the probability of heads. 

We can do the same for the expected running time. Let us measure the expected 
number of calls to Pflip on input q. The expectation exists and is uniformly bounded on 
the unit interval by 1/p, the expected running time of a Bernoulli (coin-flip) process with 
success probability p. From the program, we obtain the recurrence 

Ul-p).\ + p.(l + E (^)), i£q<p, 
\pl + (l-p).(l + £ (fz£)), ■ l£q>p 

fl + P •£()(§), if q<P, 

\l + (l- p ).£ (f=£), if g>p . 

The unique bounded solution to this recurrence is 

E*(q) = 1 + ( 2 . 2 ) 
p 1 — p 

That it is a solution can be ascertained by direct substitution; uniqueness requires a further 
argument, which we will give later. As before, there are uncountably many unbounded 
solutions, but since Eq is the unique bounded solution, it must give the expected running 
time for any q. 



E (q) 
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The situation gets more interesting when we observe that slight modifications of the 
algorithm lead to noncontinuous fractal solutions with no simple characterizations like (|2.2p . 
The fractal behavior of stochastic processes has been previously observed in [6]. 

Currently, when q > p, we halt and output "heads" when Pflip gives heads, which 
occurs with probability p. But note that we can save some time when q > 1 —p. In that case, 
we can halt and report heads if Pflip gives tails, which occurs with the larger probability 
1 — p. This allows us to take off a larger fraction of the remaining "heads" weight of the 
bias-g coin. If Pflip gives tails, we must still rescale, but the rescaling function is different. 
The new code is in lines 2-4. 

l boolean QFLIP(g) { 



2 


if (q > 1-p) { 




3 


if (PflipQ) return QFLip((g — 


(i-p)Vp); 


4 


else return true; 




5 


} else if (q > p) { 




6 


if (Pflip()) return true; 




7 


else return Qflip((<7 —p)/{l — 


p)); 


8 


y else { 




9 


if (PflipQ) return Qflip^/p) 


5 


10 


else return false; 




11 


} 




12 } 







The recurrence for the expected running time is 

E 1 {q) = l + r(q)E 1 (f 1 (q)), (2.3) 

where 

if q < V 

lip < q <l-p (2.4) 
if q > 1 — V 

r{q) = < . (2.5) 

I p, otherwise. 

Again, there is a unique bounded solution 

oo n— 1 

Ef(q) = EII^W)' 

n=0 j=0 

but there is no longer a nice algebraic characterization like ([2.2p . The solution for p = 1/4 is 
the noncontinuous fractal shown in Fig. [H shown compared to the straight line Eq running 
from 4/3 to 4. The large discontinuity at q = 1 — p = 3/4is due to the modification of the 
algorithm for q > 1 — p, and this discontinuity is propagated everywhere by the recurrence. 

Fig. [Hand intuition dictate that E* < Eq , but how do we prove this? Not by induction, 
because there is no basis. One might briefly imagine that it is because the second process 
halts no later than the first on any predetermined sequence of coin flips, but there are 
trivial counterexamples. An analytic argument involving convergence of sequences seems 
inevitable. 



fi(q) 



p< 

q-p 
x-pi 

g-O-p) 
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However, there is a simpler alternative. It will follow from our coinductive proof prin- 
ciple that to conclude E* < E Q , it suffices to show that T(E\){q) < E (q) whenever 
El(fl(l)) — Eo (fi(l))i where r is a suitably defined operator representing the unwinding 
of the recurrence (|2.3p once. This property is easily checked algebraically, and no analysis 
is necessary. 

We can modify the algorithm further to try to achieve more savings. If 1/2 < q < 1—p, 
it would seem to our advantage to remove p from the tail probability of q rather than from 
the head probability. The intuition behind this heuristic is that that when q is in one of the 
regions [0,p] or [1 — p, 1] , we can halt in the next step with the higher probability 1 — p. 
If q > 1/2, then the proposed new action will cause q to move to the right toward the closer 
good region [1 — p, 1] instead of to the left, thereby getting to a good region faster. The 
new code is in lines 5-7. 

1 boolean QFLIP(g) { 

2 if (q > 1-p) { 

3 if (Pflip()) return QFLlP((g — (1 -p))/p); 

4 else return true; 

5 } else if (q > 1/2) { 

6 if (PFLIP0) return false; 

7 else return Qflip((//(1 — p)); 

8 } else if (q > p) { 

9 if (Pflip()) return true; 

10 else return QFLIp((g — p)/(l — p))\ 
n } else { 

12 if (Pflip()) return QFLlP(g/p); 

13 else return false; 

14 } 

15 } 

The recurrence is 

E 2 (q) = l + r(q)E 2 (f 2 (q)) (2.6) 
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with 



f2(q) 



fEf, ifp<g<l/2, 

if 1/2 < q< 1-p, 
if q > 1 — p, 



g 

i-p> 

g-(i-p) 



and r(g) as given in (|2.5|) , The symmetric fractal solution 

oo n— 1 

£ 2 *(<?) = Eii r ^)) 

n=0 j=0 

is shown in Fig. [2 




Figure 2: Fractal solution of (|2.6p 

Intuition seems to say that this solution should be at least as good as E* , but it turns 
out that this is not always the case. By unwinding the recurrences a few steps and using 
the lower bound 

1 



1 — p' 



E* 2 {q) > Y,P n 

n=0 

it can be shown that for p = 1/4, 

E* (11/20) = 5/2 = 2.5 

£#(11/20) > 323/128 2.5234375... . 

Moreover, this inversion holds on an open interval containing 11/20 and countably many 
other open intervals. 

One might ask whether there is a slight modification of E% that is everywhere better 
than E*. The answer is yes: take the breakpoint not at 1/2, but at 

c = max((l — p) 2 , 1 — (1 — p) 2 ), 

provided p < (1 — p) 2 . For p = 1/4, this gives c = 9/16. Now the recurrence is 



EM = l + r(q)E 3 (f 3 (q)) 



(2.7) 
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with 



fs(q) 



i 
P' 

g-p 
<? 

g-(l-p) 
P 



if q < p, 
if p < q < c, 
if c < g < 1 — p, 
, if g> > 1 — p. 

0.382, this modification will not work for all 



(Since p < (1 — p) 2 implies p < (3 
p.) 

Now we wish to show that E$ < E* on the whole unit interval. Note that we are 
comparing two nowhere-differentiable functions^; we have no nice algebraic description of 
them save as solutions of the recurrences Ei{q) = 1 + r(q)Ei(fi(q)). However, we can prove 
the desired inequality purely algebraically using the coinductive principle below, without 
recourse to analysis. We outline a proof below, after we have stated the principle and proved 
its validity. 



3. A Coinduction Principle 

In this section we state and prove a coinduction principle that will allow us to derive 
properties of stochastic processes. The version we will use is most conveniently formulated 
in terms of bounded linear operators on a Banach space (complete normed linear space), 
but is closely related to a coinduction principle that holds in arbitrary complete metric 
spaces. We treat the metric version first. 

Let (V, d) be a complete metric space. A function r : V — > V is contractive if there 
exists a c < 1 such that for all u, v G V, cI(t(u),t(v)) < c ■ d(u,v). The value c is called 
the constant of contraction. A continuous function r is said to be eventually contractive if 
r n is contractive for some n > 1. Contractive maps are uniformly continuous, and by the 
Banach fixpoint theorem, any such map has a unique fixpoint in V . 

The fixpoint of a contractive map r can be constructed explicitly as the limit of a 
Cauchy sequence n, r(u), r 2 (u), . . . starting at any point u S V. The sequence is Cauchy; 
one can show by elementary arguments that 

d{T n+m {u),T n {u)) < C n {l-C m )(l-C)- 1 -d(T{u),u). 

Since V is complete, the sequence has a limit u* , which by continuity must be a fixpoint of 
r. Moreover, u* is unique: if t(u) = u and t(v) = v, then 

d(u,v) = d(r(u), r(w)) < c • d(u,v) =^ d(u, v) = 0, 

therefore u = v. 

Eventually contractive maps also have unique fixpoints. If t™ is contractive, let u* be 
the unique fixpoint of r n . Then t(u*) is also a fixpoint of T n . But then d(u* , t(u*)) = 
d(T n (u*),T n+1 (u*)) < c- d(u* , t(u*)), therefore u* is also a fixpoint of r. 

In this framework, the coinduction rule takes the following simple form. If (p is a closed 
nonempty subset of a complete metric space V, and if r is an eventually contractive map 

^Hermite and Poincare eschewed such functions, calling them a "dreadful plague". Poincare wrote: 
"Yesterday, if a new function was invented, it was to serve some purpose; today, they are invented only to 
debunk the arguments of our predecessors, and they will never have any other use." 
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on V that preserves ip, then the unique fixpoint u* of r is in tp. Expressed as a proof rule, 
this says for tp a closed property, 

3u <p(u) Mu tp(u) => <p(t(u)) 
<p(u*) 

This is quite easily proved. Since <p is nonempty, it contains a point u. Since <p is preserved 
by r, all elements of the sequence T n {u) are contained in <p. Finally, since ip is closed, the 
fixpoint u is contained in ip, since it is the limit of a Cauchy subsequence. 

For our purposes, the coinduction principle is most conveniently expressed in the follow- 
ing form. This form makes clear how the principle allows analytic arguments to be replaced 
by simpler algebraic ones. See [3] for the necessary background. 

Let B be a Banach space (complete normed linear space) over C and let R be a bounded 
linear operator on B {bounded is synonymous with continuous for linear operators on B). 
The spectrum of R, denoted o~(R), is the set of complex numbers A such that XL — R is not 
invertible. The spectral radius of R is 



where 



sup |A| = inf VII R n ||, (3.2) 

Xe<r(R) n 



R || = sup || R(x) 
IMI=i 



Suppose that / — R is invertible; that is, 1 a(R). Let a £ B. Then there is a unique 
solution e* of the equation e = a + Re, namely e* = (I — i?) _1 a. 

Theorem 3.1. Consider the affine operator r(e) = a + -Re, where R is a bounded linear 
operator with spectral radius strictly less than 1. Lei p C B be a closed nonempty region 
preserved by r. T/ien e* G p. 

Proof. By (j3.2|) . if the spectral radius of R is less than 1, then R is eventually contractive; 
that is, there exists n such that || R n ||< 1. Then r is also eventually contractive, since 

n— 1 n— 1 

||r n (e) -r n (e') || = || ^ R\a) + R n {e) - ^ R\a) - R n {e') \\ 

i=0 i=0 

= || R n (e - e') || 

< II • lle-e'll . 



It follows from (13. 1} that the unique fixpoint of r n is contained in tp. But this fixpoint must 
be e* , since e* is a fixpoint of r. □ 

Restated as a proof rule, Theorem 13.11 takes the following form: 

Theorem 3.2. Let r be as in Theorem \3.1\ Let ip be a closed property. The following rule 
is valid: 

3e ip(e) Ve ip(e) ip{r{e)) 



More generally, for any n > 1, 

Be tp(e) Ve <p(e) =>- <p(T n (e)) 



<p(e*) 
\/e ip{ 



(3.3) 
(3.4) 
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Proof. The rule (13, 3j) is just a restatement of Theorem l3.ll The rule (I3.4p follows by applying 
(|3.3p to the closed property ip(e) = \f™=Q ip(r i (e)). This is a closed property because r is 
continuous on B. □ 

For example, to show that E* < Eq using the rule f)3.3[) . we take B to be the space 
of bounded real- valued functions on the unit interval, a = Xx.l, R ■ B — > B the bounded 
linear operator 

R = \E.\q-r{q)E{h(q)) (3.5) 
with spectral radius 1—p, <p(E) the closed property 

Vq E{q) < ^ + ^, 
p 1 — p 

and 

t{E) = A?.(l+r(?)£7(/i(g))) = Xq.(l + RE(q)), (3.6) 

where f\ and r are as given in (12.41) and (|2.5|) . That the spectral radius of R is at most 
1—p follows immediately from (|3.2j) , since 



|| R || = sup sup | RE(q) \ = sup sup | r(q)E(fi(q)) \ < 1—p. 
\\E\\=1 q \\E\\=1 Q 

That it is exactly 1 — p requires a further argument, which we defer to Section SJ 
Now the desired conclusion is 

Vg Ef(q) < q -+ 1 —^, (3.7) 
p 1—p 

and the two premises we must establish are 

3E yqE(q) < (3.8) 
p 1—p 

VE (y qE (q)<l + ^ V qT (E)( q )<l + l^l\ (3.9) 

\ pi— p pi— p J 

The premise (I3.8P is trivial; for example, take E = Xq.O. For (13. 9D . let E be arbitrary. We 
wish to show that 

E(q) < - + j—^- Vqr(E)( q )<?- + ^LA. ( 3 .10) 
p 1 — p pi — p 

Picking q arbitrarily on the right-hand side and then specializing the left-hand side at f\ (q) , 
it suffices to show 

E(Mq)) <fM + l^JM + T(£)W <? + 1^. (3.11) 

p 1—p pi— p 

Substituting the definition of r, we need to show 

E{h(q))< f -^+ 1 —^ l + r( g )E(f 1 ( q ))< q -+ 1 -^. (3.12) 
p 1—p pi— p 

The proof breaks into three cases, depending on whether q < p, p < q < 1 — p, or q > 1— p. 
In the first case, fi(q) = q/p and r(q) = p. Then (I3.12p becomes 

p p z 1 — p p pi— p 
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But 



p p 2 1 — p pi— p 

The remaining two cases are equally straightforward. The last case, q > 1 — p, uses the fact 
that p < 1/2. 

One can also prove closed properties of more than one function E. For example, as 
promised, we can show that E^ < E* whenever 

max((l — p) 2 , 1 — (1 — p) 2 ) < c < 1 — p. 

For this application, B is the space of pairs (E,E'), where E and E' are bounded real- 
valued functions on the unit interval, a = (Ax.l, Ax.l), and R : B — > B is the bounded 
linear operator 

R(E,E') = (Ag.r(g)^(/ 3 (?)),Ag.r(g)S / (/ 1 (g))) 

with spectral radius 1 — p. The closed property of interest is E < E', but we need the 
stronger coinduction hypothesis 

tp(E,E') = VqE(q)<E'(q) (3.13) 

A E(q) > -J— (3.14) 
1 — p 

A p<q<l-p => E'{q) > 2 (3.15) 

A E'(q) < q - + (3.16) 
p 1—p 

A < q < p E(q) = E(q+l-p). (3.17) 

Equivalent to (|3.17p is the statement 

1-P<q<l E(q)=E(q-{l-p)). (3.18) 

There certainly exist (E, E') satisfying ip. We have also already argued that coinduction 
hypothesis (|3.16p is preserved by r. The argument for (|3.14p is similar. For (|3.17p . if 
< q < p, then 

1—p < q + 1 — p < 1, 

therefore 

r(q) = r{q+l—p) = p 



/3(« + l-p) 



P 

(q + 1 -p) - (1 -p) 



p p 
It follows that 

l+r(q)E(f 3 {q)) = 1 + r(q + 1 - p)E(f 3 (q + 1 - p)) = l+ P E(q/p). 
For pi5]l . j£p<q<l-p, then 

r(q) = 1—p 
E'(fM) > ' 



1—p 
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by the coinduction hypotheses (|3.13j) and (13,14p . thus 

1 + r{q)E'{f x {q)) > l + (l-p)-J_ = 2. 

1-p 

Finally, for (|3.13p . we wish to show 

l+r{q)E(h{q)) < 1 + r{q)E' {h{q)), 

or equivalently, 

E(h(q)) < E\h{q))- (3-19) 

Since f\ and f% coincide except in the range c < q < 1 — p, we need only show (|3.19p for q 
in this range. 

It follows from the assumptions in effect that 



thus 



P < h{q) = 7—^ < l-P < -r— = fs(q), 
1 — p 1 — p 

E(f 3 (q)) = E(— (1 - p)) by pTTl) . in the form (l3~T8l) 

1 — p 



T^-(l-p) l-(^--(l-p)) 

< i^p_^ P_l + V JL by dam) 

p l-p 

, q , 1 — 2p 

= (— 1)-; + 2 

1 — p p(l — p) 

< 2 since p,q < 1 — p 

< E\h(q)) hy^M- 

We can conclude from the coinduction rule that ip{E^, E*). Note that nowhere in this 
proof did we use any analytic arguments. All the necessary analysis is encapsulated in the 
proof of Theorem 13.11 

As a final application, we show how to use the coinductive proof rule f|3.3|) of Theorem 
13.21 to argue that for p < 1/2, the function E* is nowhere differentiable. We do this by 
showing that E* has a dense set of discontinuities on the unit interval. 

First we show that E* has discontinuities at p and 1 — p. We know from clause (|3.15p 
of the previous argument that for all q in the range p < q < 1 — p, 

E*(q) > 2. (3.20) 

Also, by (|3.7p . we have that E*(q) < 1/p for all q. Then for e < p 2 , unwinding the defining 
recurrence (12. 3p for E* twice yields 

Ef(l-p + e) = l+p + p 2 Ef(A I ) < l + 2p (3.21) 



V 



E*ip-e) = l+p + p l El{\- -A < l + 2p. (3.22) 

pi 

Since 1 + 2p < 2, (|3.20p - (|3.22p imply that E* has discontinuities at p and 1 — p. 

Finally, we show that every nonempty open interval contains a discontinuity. Suppose 
for a contradiction that E* is continuous on a nonempty open interval (a,b). The interval 
(a, b) can contain neither p nor 1 — p, so the entire interval must be contained in one of the 
three regions (0,p), (p,l—p), or (1 — p, 1). 
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Suppose it is contained in (0,p). Then 

E*{q) = l+pE?(q/p) 

for a < q < b, thus 

E*(q/p) = (Ef(q)-l)/p 

for a/p < q/p < b/p, so E* is also continuous on the interval (a/p,b/p). But the length of 
this interval is (b — a)/p, thus we have produced a longer interval on which E* is continuous. 

A similar argument holds if (a, b) is contained in one of the intervals (p, 1 — p) or 
(1 — p, 1). In each of these three cases, we can produce an interval of continuity that is 
longer than (a, b) by a factor of at least 1/(1 — p). This process can be repeated at most 
log(6 — a)/log(l — p) steps before the interval must contain one of the discontinuities p or 
1 — p. This is a contradiction. 



4. Unbounded Solutions 

That these coinductive proofs have no basis is reflected in the fact that there exist un- 
bounded solutions in addition to the unique bounded solutions. All unbounded solutions are 
necessarily noncontinuous, because any continuous solution on a closed interval is bounded. 

Theorem 13.11 does not mention these unbounded solutions, because they live outside 
the Banach space B. Nevertheless, it is possible to construct unbounded solutions to any 
of the above recurrences. All these recurrences are of the form 

E(q) = a + r(q)E(f(q)). (4.1) 

Let G be the graph with vertices q £ [0, 1] and edges (q, f(q))- Note that every vertex in G 
has outdegree 1. Let C be an undirected connected component of G. One can show easily 
that the following are equivalent: 

(i) C contains an undirected cycle; 

(ii) C contains a directed cycle; 

(hi) for some q G C and k > 0, f k (q) = q. 
Call C rational if these conditions hold of C, irrational otherwise. For example, for f\ given 
in (|2.4p . the connected components of and 1 are rational, since /i(0) = and /i(l) = 1. 
There are other rational components besides these; for example, if p = 1/4, the component 
of q = 11/20 is rational, since f? (11/20) = /^(H/20) = 1/5. 

Now any solution E of (14,1ft must agree with the unique bounded solution E* on the 
rational components: if f k (q) = q, then unwinding the recurrence k times gives 

fc-ln-l /fc-i \ 

n=0 i=0 \i=0 J 

therefore 

E() = «Etonr=oM/%)) 

But the values of E on an entire connected component are uniquely determined by its 
value on a single element of the component, since E{q) uniquely determines E(f(q)) and 
vice-versa. Thus E and E* must agree on the entire component. 
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We note in passing that this allows us to construct an E such that RE = (1 — p)E, 
where R is the linear operator of (|3.5p . thereby establishing that the spectral radius of R 
is 1 — p. Take E(l) = 1, then inductively define E{q) = r(q)E(fi(q))/(l — p) for all other q 
in the component of 1 and E(q) = otherwise. Then || E || = 1, and 

RE(q) = r{q)E{h{q)) = r(q)E(q) • ^ = (l-p)E{q). 

For an irrational component, since there are no cycles, it is connected as a tree. We 
can freely assign an arbitrary value to an arbitrarily chosen element q of the component, 
then extend the function to the entire component uniquely and without conflict. 

For / G {/i,/2,/s} of the examples of Section there always exists an irrational 
component. This follows from the fact that if f k (q) = q, then q is a rational function of p; 
that is, q is an element of the field Q(p). To see this, note that any f k (q) is of the form 



pm(\ ip\k—m 

for some < m < k and r G Q(p). This can be shown by induction on k. Solving f k (q) = q 
for q gives 

rp m (l — p\ k ~ m 

q = i_ r(1 _ p) fc- m e Q(p)- 

Thus the component of any real q G" Q(p) is an irrational component. There exist uncount- 
ably many such q, since <Q(p) is countable. In fact, there are uncountably many irrational 
components, since each component is countable, and a countable union of countable sets 
is countable. Moreover, it can be shown that if q\ and q 2 are in the same component, 
then Q(p,qi) = Q(p,q 2 )- This is because if q\ and q2 are in the same component, then 
f kl (qi) = f k2 (Q2) for some k±, k 2 S N, so 
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(1 _ pm.2 ^ _ pjk2-m,2 

therefore G Q(p, q 2 ) and q 2 G Q(p,qi). 

We have thus characterized all possible solutions. 



5. Why Is This Coinduction? 

The reader may be curious why we have called the rule (|3.3p a coinduction rule, since 
it may seem different from the usual forms of coinduction found in the literature. The form 
of the rule and its use in applications certainly bears a resemblance to other versions in the 
literature, but to justify the terminology on formal grounds, we must exhibit a category of 
coalgebras and show that the rule (|3,3p is equivalent to the assertion that a certain coalgebra 
is final in the category. 

Say we have a contractive map r on a metric space B and a nonempty closed subset 
ip C B preserved by r. Define t(c^) = {t(s) \ s G (/?}• Consider the category C whose objects 
are the nonempty closed subsets of B and whose arrows are the reverse set inclusions; thus 
there is a unique arrow ip\ — > ip 2 iff fi 5 V?2- The map f defined by f((p) = cl(r(<^)), where 
cl denotes closure in the metric topology, is an endofunctor on C, since f((f) is a nonempty 
closed set, and (p% 5 ^2 implies f (ipi) 5 T(ip 2 ). A r-coalgebra is then a nonempty closed set 
(p such that ip 5 ^(y); equivalently, such that ip 5 T (y)- The final coalgebra is {e*}, where 
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e* is the unique fixpoint of r. The coinduction rule (|3.3h says that <p D T~((p) <p D {e*}, 
which is equivalent to the statement that {e*} is final in the category of r-coalgebras. 

6. Future Work 

There is great potential in the use of proof principles similar to those of Theorem [221 for 
simplifying arguments involving probabilistic programs, stochastic processes, and dynamical 
systems. Such rules encapsulate low-level analytic arguments, thereby allowing reasoning 
about such processes at a higher algebraic or logical level. A few such applications have 
been described in the theory of streams, Markov chains and Markov decision processes, and 
non- well-founded sets [10]. Other possible application areas are complex and functional 
analysis, the theory of linear operators, measure theory and integration, random walks, 
fractal analysis, functional programming, and probabilistic logic and semantics. 

In particular, probabilistic programs can be modeled as measurable kernels R(x, A), 
which can be interpreted as forward-moving measure transformers or backward-moving 
measurable function transformers [21 E] - The expectation functions considered in this paper 
were uniformly bounded, but there are examples of probabilistic programs for which this is 
not true. It would be nice to find rules to handle these cases. 

An intriguing open problem is whether the optimal strategy for the coin-flip process 
of Section [2] is decidable. Specifically, given rational p, q, < p, q < 1, and a flip of the 
bias-p coin, can we decide what action to take to minimize the expected running time? It 
is known that is not necessarily optimal. 
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